当前位置: 代码迷 >> Web前端 >> 转 cas配备
  详细解决方案

转 cas配备

热度:297   发布时间:2012-09-07 10:38:15.0
转 cas配置

参考文档

Keytool使用指南:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
?
Tomcat-ssl配置指南:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

配置过程

1.??????生成 server key :

以命令行方式切换到目录%TOMCAT_HOME%,在command命令行输入如下命令(jdk1.4以上带的工具):?
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600
用户名输入域名,如localhost(开发或测试用)或hostname.domainname(用户拥有的域名),其它全部以 enter 跳过,最后确认,此时会在%TOMCAT_HOME%下生成server.keystore 文件。
注:参数 -validity 指证书的有效期(天),缺省有效期很短,只有90天。

2.? 将证书导入的JDK的证书信任库中:

这步对于Tomcat的SSL配置不是必须,但对于CAS SSO是必须的,否则会出现如下错误:edu.yale.its.tp.cas.client.CASAuthenticationException:?Unable?to?validate?ProxyTicketValidator。。。
导入过程分2步,第一步是导出证书,第二步是导入到证书信任库,命令如下:
keytool -export -trustcacerts -alias tomcat -file server.cer -keystore??server.keystore -storepass changeit
keytool -import -trustcacerts -alias tomcat -file server.cer -keystore? %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
如果有提示,输入Y就可以了。
其他有用keytool命令(列出信任证书库中所有已有证书,删除库中某个证书):
keytool -list -v -keystore D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts
keytool -delete -trustcacerts -alias tomcat? -keystore? D:/sdks/jdk1.5.0_11/jre/lib/security/cacerts -storepass changeit

3.? 配置TOMCAT?:

修改%TOMCAT_HOME%\conf\server.xml,以文字编辑器打开,查找这一行:
xml 代码
  1. <!---->??
将之后的那段的注释去掉,并加上 keystorePass及keystoreFile属性。
注意,tomcat不同版本配置是不同的:

Tomcat4.1.34配置:

xml 代码
  1. <!---->??
  2. ???<Connector?className="org.apache.coyote.tomcat4.CoyoteConnector"??
  3. ???????????port="8443"?enableLookups="true"?scheme="https"?secure="true"??
  4. ???????????acceptCount="100"??
  5. ???????????useURIValidationHack="false"?disableUploadTimeout="true"??
  6. ???????????clientAuth="false"?sslProtocol="TLS"? ??
  7. ???????????keystoreFile="server.keystore"? ??
  8. ???????????keystorePass="changeit"/>??

Tomcat5.5.9配置:

?
xml 代码
  1. <!---->??
  2. <Connector?port="8443"?maxHttpHeaderSize="8192"??
  3. ???????????maxThreads="150"?minSpareThreads="25"?maxSpareThreads="75"??
  4. ???????????enableLookups="false"?disableUploadTimeout="true"??
  5. ???????????acceptCount="100"?scheme="https"?secure="true"??
  6. ???????????clientAuth="false"?sslProtocol="TLS"? ??
  7. ???????????keystoreFile="server.keystore"? ??
  8. ???????????keystorePass="changeit"/>??

Tomcat5.5.20配置(此配置同样可用于Tomcat6.0)
?

xml 代码
  1. <!---->??
  2. <Connector?protocol="org.apache.coyote.http11.Http11Protocol"? ??
  3. ?????????????????????port="8443"?maxHttpHeaderSize="8192"??
  4. ???????????maxThreads="150"?minSpareThreads="25"?maxSpareThreads="75"??
  5. ???????????enableLookups="false"?disableUploadTimeout="true"??
  6. ???????????acceptCount="100"?scheme="https"?secure="true"??
  7. ???????????clientAuth="false"?sslProtocol="TLS"???????????????? ??
  8. ???????????keystoreFile="server.keystore"? ??
  9. ???????????keystorePass="changeit"/>??

Tomcat6.0.10配置:
xml 代码

  1. <Connector?protocol="org.apache.coyote.http11.Http11NioProtocol"??
  2. ???????????port="8443"?minSpareThreads="5"?maxSpareThreads="75"??
  3. ???????????enableLookups="true"?disableUploadTimeout="true"? ??
  4. ???????????acceptCount="100"??maxThreads="200"??
  5. ???????????scheme="https"?secure="true"?SSLEnabled="true"??
  6. ???????????clientAuth="false"?sslProtocol="TLS"??
  7. ???????????keystoreFile="D:/tools/apache-tomcat-6.0.10/server.keystore"? ??
  8. ???????????keystorePass="changeit"/>??
tomcat6支持3种,请参考以下文档:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

验证配置

访问 https://localhost:8443/

<connector protocol="org.apache.coyote.http11.Http11NioProtocol"></connector>

Tomcat6.0.10配置:
xml 代码

  1. <Connector?protocol="org.apache.coyote.http11.Http11NioProtocol"??
  2. ???????????port="8443"?minSpareThreads="5"?maxSpareThreads="75"??
  3. ???????????enableLookups="true"?disableUploadTimeout="true"? ??
  4. ???????????acceptCount="100"??maxThreads="200"??
  5. ???????????scheme="https"?secure="true"?SSLEnabled="true"??
  6. ???????????clientAuth="false"?sslProtocol="TLS"??
  7. ???????????keystoreFile="D:/tools/apache-tomcat-6.0.10/server.keystore"? ??
  8. ???????????keystorePass="changeit"/>??
tomcat6支持3种,请参考以下文档:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

验证配置

访问 https://localhost:8443/

<connector protocol="org.apache.coyote.http11.Http11NioProtocol"></connector>

  相关解决方案